What's the difference between Artifact Registry and Container Registry?

Container Registry only handles Docker images and is basically in maintenance mode now. Artifact Registry supports Docker plus Maven, npm, Python packages, Go modules, Helm charts, and more. It also has better security features and doesn't randomly break as often. Google recommends migrating because Container Registry will eventually go the way of Google Reader. Migration tools exist but test them first. **Bottom line**: Container Registry is dead tech walking. Use Artifact Registry or your stuff will break in March 2025.

How do I migrate from Docker Hub?

Create an Artifact Registry repo, update your registry URLs, and push your images. Use `docker tag` and `docker push` to copy stuff over, or set up CI/CD to do it automatically. Remote repositories can cache Docker Hub content, so you don't have to migrate everything at once. Good for gradual transitions when you don't want to break production. **Script it**: Don't manually copy a bunch of images. Write a bash script with `docker tag` and `docker push` in a loop or you'll go insane clicking through the console. Something like this worked for us, YMMV: ```bash #!/bin/bash for tag in $(docker images --format \"table {{.Repository}}:{{.Tag}}\" | grep -v REPOSITORY); do new_tag=\"us-docker.pkg.dev/my-project/my-repo/${tag##*/}\" docker tag $tag $new_tag docker push $new_tag done ```

What formats does it actually support?

Docker images, Maven jars, npm packages, Python wheels, Go modules, Helm charts, Apt/Yum packages, and generic files. Each one works with standard tools (docker, npm, pip, etc.) without weird configuration. **Real shit**: If it's not on this list, you're out of luck. No NuGet, no Conan, no weird proprietary formats. Google supports what Google supports.

How much does vulnerability scanning cost?

About $0.26 per image scan through Artifact Analysis. Adds up fast if you scan everything. Be selective about what you scan unless you have infinite budget. Scanning identifies CVEs in base images, application dependencies, and system packages. Results show up in Security Command Center. **Cost reality**: We were scanning like 200+ images daily (dev builds, feature branches, everything) and got hit with some crazy bill, I think it was like $1,500/month or something. Now we only scan production images with a simple `if [[ \"$BRANCH\" == \"main\" ]]` in our CI pipeline and save over a grand per month.

Can I use this with non-Google CI/CD systems?

Yes. Works with Jenkins, GitLab CI, GitHub Actions, Azure DevOps, CircleCI, whatever. Authentication uses service account keys or Workload Identity Federation. Standard Docker Registry API v2 endpoints mean existing tooling works without changes. **Auth gotcha**: Service account keys work everywhere but expire. Workload Identity is more secure but only works with supported CI systems. Pick your poison.

What are remote and virtual repositories?

Remote repos cache upstream sources like Docker Hub or Maven Central. Improves build performance and availability when upstream services are down (which happens more than they admit). Virtual repos combine multiple repositories behind one URL. Simplifies client config but priority ordering can be confusing. **Lifesaver**: Remote repos saved our ass when Docker Hub went down during a critical deployment. Our builds kept working while everyone else was fucked.

How do I control access?

Google Cloud IAM with predefined roles (Reader, Writer, Admin) or custom roles for specific needs. Apply permissions at project, repository, or artifact level. Service accounts handle CI/CD access. Enterprise identity federation supports SAML/OIDC/Active Directory. **IAM hell**: Start simple with basic roles. Custom IAM policies will drive you insane unless you really need them. Three roles cover 90% of use cases.

What regions are available?

All Google Cloud regions plus multi-regional options (us, europe, asia). Choose based on where your compute resources live to minimize latency and data transfer costs.

How does pricing work?

$0.10/GB/month storage after 0.5GB free. Same-region data transfer is free, cross-region costs $0.01-$0.15/GB depending on locations. Inbound transfer is always free. Use the Google Cloud Pricing Calculator to estimate costs, but remember that storage adds up if you don't clean up old images. **Pricing trap**: Multi-regional costs 2x storage price. Don't use it unless you actually need global replication.

Can I use this in private networks?

VPC Service Controls restrict access to specific networks and prevent data exfiltration. Private Google Access works from private instances without internet. Private Service Connect provides dedicated connections for high-security environments.

How do I set up automated builds with Cloud Build?

Create a `cloudbuild.yaml` config specifying your Artifact Registry repo as the destination. Cloud Build can trigger on code changes, build/test automatically, then push results to your repo. Supports GitHub, Cloud Source Repositories, and Bitbucket integration. **Build gotcha**: Cloud Build timeouts are aggressive (10 minutes default). Your 2GB Node.js build with all those dependencies will fail with a cryptic `Build step 'gcr.io/cloud-builders/docker' failed: context deadline deadline exceeded` error. This especially hits complex multi-stage builds with heavy npm installs or when pulling large base images. Bump it to 20+ minutes in your `cloudbuild.yaml` with `timeout: '1200s'` or suffer mysterious failures.

What backup options exist?

Multi-regional repos automatically replicate across zones and regions. For extra protection, export to Cloud Storage or replicate to multiple repos in different regions. 99.95% SLA for regional repos, 99.99% for multi-regional repos.

How do I monitor usage?

Cloud Monitoring provides metrics for usage, API requests, and errors. Cloud Audit Logs capture all activities for compliance. Integration with Security Command Center shows vulnerability scan results. **Monitoring reality**: The default alerts are garbage and will spam you about irrelevant shit. Set up custom alerts specifically for failed pushes (`artifact_registry_api_request_count` with `response_code != 200`) or you won't know when your CI is actually broken until developers start complaining. We got like 40+ slack notifications about \"registry latency exceeded 500ms\" during normal operation but zero alerts when our entire deployment pipeline was silently failing due to quota limits.

Currently viewing the AI version

Switch to human version

Google Artifact Registry - AI-Optimized Technical Reference

Configuration

Critical Setup Requirements

Project ID naming: Never use underscores in project IDs - Docker daemon will fail with unauthorized: authentication required error
Authentication setup: Always run gcloud auth configure-docker --verbose to avoid Error response from daemon: Get https://gcr.io/v2/: unauthorized failures
Go module configuration: Add GOPRIVATE=us-docker.pkg.dev (or your registry URL) to environment variables to prevent go: reading https://proxy.golang.org/...: 410 Gone errors when Go tries to fetch private modules from public proxy

Production-Ready Settings

Cloud Build timeout: Default 10 minutes will fail for complex builds - increase to 20+ minutes with timeout: '1200s' in cloudbuild.yaml
Retention policies: Mandatory to avoid surprise bills - implement immediately or face $3,100+ monthly charges from accumulated build artifacts
Virtual repository priority: Must set explicitly or defaults to alphabetical instead of latest versions, causing mysterious version conflicts

Supported Formats and Limitations

Supported: Docker images, Maven jars, npm packages, Python wheels, Go modules, Helm charts, Apt/Yum packages
Not supported: NuGet, Conan, proprietary formats - if it's not on the supported list, you cannot use it

Resource Requirements

Cost Structure (December 2024)

Storage: $0.10/GB/month after 0.5GB free tier
Vulnerability scanning: $0.26 per image scan through Artifact Analysis
Data transfer: Free within same region, $0.01-$0.15/GB cross-region
Multi-regional storage: 2x base storage cost

Real-World Cost Examples

Horror story: $3,100 monthly bill from 18 months of retained nightly builds (40-50 services, 1GB+ per image)
Scanning costs: $1,500/month for scanning 200+ daily images - reduced to production-only scanning saves $1,000+/month
Performance: 2GB Docker image pulls in 30 seconds same-region, 2 minutes cross-continent

Repository Architecture Recommendations

Start simple: One repo per environment per team, not per microservice
Avoid: 40-50 repos per microservice becomes management nightmare
Enterprise pattern: Separate repos for dev/staging/prod or per-team

Critical Warnings

Migration Deadlines

Container Registry shutdown: March 18, 2025 - builds will throw 403 Forbidden errors after this date
No grace period: No warnings before service termination

Common Failure Modes

Virtual repo priority confusion: Wrong package versions pulled due to alphabetical default ordering
Retention policy absence: Exponential cost growth from accumulated artifacts
Cross-region placement: Unnecessary data transfer charges and latency
Excessive scanning: Cost explosion from scanning non-production images

Performance Breaking Points

Cloud Build timeouts: Complex multi-stage builds fail at 10-minute default limit
Monitoring alerts: Default alerts generate spam - custom alerts needed for actual failures
Authentication expiry: Service account keys expire, Workload Identity Federation more secure but limited CI system support

Operational Intelligence

When Worth the Investment

Financial services: Vulnerability scanning + SLSA compliance for regulatory requirements
Healthcare: VPC Service Controls for HIPAA compliance
Global teams: Multi-regional repos reduce latency but cost 2x
Disaster recovery: Remote repositories cache public registries, preventing build failures during upstream outages

Decision Criteria vs Alternatives

vs Docker Hub: Better for enterprises needing vulnerability scanning and Google Cloud integration
vs AWS ECR: Multi-format support advantage, equivalent storage costs
vs JFrog Artifactory: Lower cost but fewer formats (6 vs 50+)
vs Azure Container Registry: Lower storage cost ($0.10 vs $0.167/GB), better caching features

Migration Complexity

Docker Registry API v2 compatibility: Standard tools work without modification
Gradual transition possible: Remote repositories enable phased migration
Automation essential: Manual image copying causes operator fatigue - script with docker tag/push loops

Security Implementation Reality

Vulnerability scanning effectiveness: Discovered Log4j vulnerabilities missed by other tools
Scanner thoroughness: Found 800+ vulnerabilities in "hardened" Alpine base images
IAM complexity: Start with basic roles - custom policies create maintenance overhead
VPC Service Controls: Necessary for high-security environments but adds operational complexity

Breaking Points and Failure Modes

Technical Limits

Registry authentication: Breaks with underscore project IDs due to hostname parsing
Go module proxy conflicts: Private modules fail without GOPRIVATE configuration
Build timeout defaults: 10-minute limit insufficient for complex containerized applications
Virtual repository ordering: Alphabetical default breaks version expectations

Cost Explosion Scenarios

Unmanaged retention: 18-month accumulation resulted in $3,100 monthly charges
Excessive scanning: Daily scanning of all images cost $1,500/month vs production-only approach
Multi-regional overuse: 2x storage cost when global replication not actually needed

Monitoring and Alerting Failures

Default alert noise: 40+ notifications about latency during normal operation
Silent failure detection: Zero alerts when deployment pipeline failed due to quota limits
Recommended custom alerts: Monitor artifact_registry_api_request_count with response_code != 200 for actual failures

Google Artifact Registry - AI-Optimized Technical Reference

Configuration

Critical Setup Requirements

Production-Ready Settings

Supported Formats and Limitations

Resource Requirements

Cost Structure (December 2024)

Real-World Cost Examples

Repository Architecture Recommendations

Critical Warnings

Migration Deadlines

Common Failure Modes

Performance Breaking Points

Operational Intelligence

When Worth the Investment

Decision Criteria vs Alternatives

Migration Complexity

Security Implementation Reality

Breaking Points and Failure Modes

Technical Limits

Cost Explosion Scenarios

Monitoring and Alerting Failures

Related Tools & Recommendations

Maven is Slow, Gradle Crashes, Mill Confuses Everyone

GitHub Actions + Docker + ECS: Stop SSH-ing Into Servers Like It's 2015

Amazon ECR - Because Managing Your Own Registry Sucks

Azure Container Registry - Microsoft's Private Docker Registry

Google Kubernetes Engine (GKE) - Google's Managed Kubernetes (That Actually Works Most of the Time)

GKE Security That Actually Stops Attacks

Google Cloud Run vs AWS Fargate: Performance Analysis & Real-World Review

Google Cloud Run - Throw a Container at Google, Get Back a URL

Docker Alternatives That Won't Break Your Budget

GitOps Integration Hell: Docker + Kubernetes + ArgoCD + Prometheus

I Tested 5 Container Security Scanners in CI/CD - Here's What Actually Works

ServiceNow App Engine - Build Apps Without Coding Much

Supermaven - Finally, an AI Autocomplete That Isn't Garbage

npm Threw ERESOLVE Errors Again? Here's What Actually Works

Major npm Supply Chain Attack Hits 18 Popular Packages

npm - The Package Manager Everyone Uses But Nobody Really Likes

I've Been Testing uv vs pip vs Poetry - Here's What Actually Happens

Kubeflow Pipelines - When You Need ML on Kubernetes and Hate Yourself

Fix Helm When It Inevitably Breaks - Debug Guide

Helm - Because Managing 47 YAML Files Will Drive You Insane